Enrich threat observables with VirusTotal

  • Latest Dynatrace
  • How-to guide
  • Preview

The Dynatrace integration with VirusTotal brings threat intelligence context into alerts and detection investigations to help organizations combat online abuse, such as cyber-attacks, spamming, and other malicious activities.

With observable enrichment with reputation generated from the threat information provided by VirusTotal, you can perform more efficient security investigations and automate alert triaging, reducing the noise with threat-aware prioritization.

Hub

Explore in Dynatrace Hub

Enrich observables with threat intelligence from VirusTotal.

How it works

how it works

Dynatrace integration with VirusTotal is an app that you can install from Dynatrace Hub.

The app delivers a workflow action for observable enrichment in Workflows.

Once the app is installed and configured

  1. Various consumer apps can perform an on-demand enrichment of observables, such as IP addresses.

  2. During the enrichment, Dynatrace reaches out to VirusTotal to perform the observable enrichment.

  3. The threat intelligence context is displayed within the consumer apps or in Workflows.

Prerequisites

See below for the VirusTotal and Dynatrace requirements.

VirusTotal requirements

Register with VirusTotal and create an API v3 key.

Dynatrace requirements

The following IAM permissions are required:

  • app-engine:apps:run
  • app-settings:objects:read
  • document:documents:read
  • settings:objects:read
  • storage:system:read
  • security-intelligence:enrichments:run

To run the enrichment workflow action, all the permissions above need to be enabled in Workflows as well.

  1. Go to the settings menu in the upper-right corner of Workflows and select Authorization settings.
  2. In Secondary permissions, search for and select the above-listed permissions.
  3. Select Save.

Get started

  1. In Dynatrace, open Dynatrace Hub.

  2. Look for VirusTotal and select Install.

  3. Select Set up , then select Configure new connection.

  4. Follow the on-screen instructions to set up the connection using the API key obtained in Prerequisites.

    Allowed outbound connections are extended automatically with www.virustotal.com.

    1. In Settings, go to Preferences > Limit Outbound Connections.
    2. Select Add item and add the domain.
    3. Select Save changes.

  5. Test the connection to ensure the correct configuration and save it.

Use cases

Once you set up the VirusTotal integration, you can enrich observables, such as IP addresses, with threat intelligence context.

Key use cases include:

  • IP enrichment directly from investigation results in the Security Investigator app to accelerate threat validation and streamline case triage. For instructions, see Enrich IP addresses.

  • Automated threat-alert triaging

  • Threat-informed security investigations Coming soon

FAQ

Which observable types are currently supported?

Supported observable types: IP addresses (more coming soon).

How will my VirusTotal API quotas will be affected from this integration?

For every new observable enrichment, we perform a single API call.

Related tags
Threat Observability